find-relevant-case
Search for existing cases related to specific indicators or entities. Use to find correlation with other investigations before starting new analysis. Takes search terms and returns matching case IDs.
69
62%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/find-relevant-case/SKILL.mdQuality
Discovery
67%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description is functional and covers both what the skill does and when to use it, which is its strongest aspect. However, it relies on somewhat jargon-heavy terms without providing enough natural language variations that users might employ, and the domain specificity could be improved to reduce potential conflicts with other search-oriented skills.
Suggestions
Add more natural trigger terms users might say, such as 'lookup cases', 'find related incidents', 'IOC search', 'check existing investigations', or 'correlate threats'.
Clarify what 'indicators' and 'entities' mean in context (e.g., 'IP addresses, domains, file hashes, threat actors') to improve both specificity and trigger term coverage.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | The description names a domain (case search/investigation correlation) and describes the action (search for cases, find correlation, return matching case IDs), but the actions are somewhat narrow and the domain terms like 'indicators' and 'entities' are vague without further elaboration of what types. | 2 / 3 |
Completeness | Clearly answers both 'what' (search for existing cases related to specific indicators or entities, returns matching case IDs) and 'when' (use to find correlation with other investigations before starting new analysis). The 'Use to...' clause serves as an explicit trigger guidance. | 3 / 3 |
Trigger Term Quality | Includes some relevant keywords like 'cases', 'indicators', 'entities', 'investigations', 'search terms', and 'case IDs', but these are somewhat specialized/jargon-heavy. Missing common user-facing variations like 'lookup', 'find cases', 'IOC', 'threat intelligence', or file type references that users might naturally say. | 2 / 3 |
Distinctiveness Conflict Risk | The description is somewhat specific to case/investigation search, but terms like 'search', 'entities', and 'indicators' are broad enough to potentially overlap with other search or investigation-related skills. The mention of 'case IDs' helps narrow it, but the overall scope could still conflict with general search or threat intelligence skills. | 2 / 3 |
Total | 9 / 12 Passed |
Implementation
57%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill provides a reasonable structure for finding relevant cases but falls short on actionability—the core tool calls use placeholder values without showing concrete filter construction. The workflow is logically sequenced but lacks validation steps and concrete examples of what search filters look like. The Limitations section is a useful addition that acknowledges real constraints.
Suggestions
Provide a concrete, executable example of constructing the filter for list_cases (e.g., show the actual filter syntax for searching by IP address or hostname)
Add a validation step after Step 3 to verify results are non-empty and handle the zero-results case explicitly
Include a concrete example showing a complete search-to-results flow with sample input terms and expected output format
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | Mostly efficient but includes some unnecessary explanation (e.g., the 'Note' in Step 1 about limited ability is somewhat hedging). The Limitations section adds useful context but could be tighter. | 2 / 3 |
Actionability | Provides some concrete tool calls (list_cases, get_case_full_details) but they use placeholder variables like 'constructed_filter' without showing how to actually construct the filter. The code is pseudocode-level rather than executable. | 2 / 3 |
Workflow Clarity | Steps are listed in a clear sequence, but there are no validation checkpoints or error handling steps. Step 1 says 'build a filter' without specifying how, and the optional Step 4 refinement lacks clear criteria for when to trigger it. | 2 / 3 |
Progressive Disclosure | For a skill of this size and complexity, the content is well-organized with clear sections (Inputs, Workflow, Outputs, Limitations). No external references are needed and the structure is easy to navigate. | 3 / 3 |
Total | 9 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- dandye/ai-runbooks
- Commit
086cbf6
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.